How Authentication and Authorization Work in Salesforce

When working with Salesforce as a developer, it’s crucial to understand how Authentication and Authorization in Salesforce work. These concepts ensure that only authorized users or systems can access the Salesforce platform and its APIs securely. This guide is designed to explain these ideas intuitively, especially for students who have little or no programming experience.


What Is Authentication and Authorization?

  • Authentication: This is the process of verifying who you are. It ensures that only valid users or systems can access Salesforce.
  • Authorization: This happens after authentication. It checks what the authenticated user or system is allowed to do in Salesforce.

In simpler terms:

  • Authentication answers, “Are you who you say you are?”
  • Authorization answers, “What are you allowed to do?”

How Users Can Authenticate Into Salesforce

Salesforce offers multiple ways to authenticate, ensuring flexibility for various use cases. Here are two common authentication flows used for calling Salesforce APIs:

1. Username-Password Flow

The Username-Password Flow is one of the simplest ways to authenticate. It’s commonly used when a system (like a backend server) needs to log into Salesforce without manual user input.

How It Works:
  1. The system sends a request to Salesforce with the following:
    • Username: The Salesforce username.
    • Password: The user’s password with the user’s security token appended directly to it (password followed by token, no separator).
    • Client ID and Client Secret: These are like an app’s username and password, issued by Salesforce when the app is registered.
  2. Salesforce validates these credentials.
  3. If successful, Salesforce responds with an access token. This token is used to authenticate API calls.
When to Use:
  • Suitable for server-to-server communication.
  • Not ideal for end-user interactions due to security risks of storing passwords.
Example Request:
POST https://login.salesforce.com/services/oauth2/token
Content-Type: application/x-www-form-urlencoded

grant_type=password
&client_id=<YOUR_CLIENT_ID>
&client_secret=<YOUR_CLIENT_SECRET>
&username=<YOUR_USERNAME>
&password=<YOUR_PASSWORD_WITH_SECURITY_TOKEN>
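The request above, built and its reply handled in Python. This is an added example, not code from the original page: it reads the credentials from environment variables named SF_CLIENT_ID, SF_CLIENT_SECRET, SF_USERNAME, SF_PASSWORD and SF_SECURITY_TOKEN (names chosen here, not Salesforce’s), so nothing secret is hard-coded, and the sample JSON replies are constructed to match the shape of Salesforce’s token response rather than captured from a real org.

```python
# Added example (not from the original page): build the Username-Password
# token request shown above and handle Salesforce's JSON reply.
# Assumptions: credentials live in environment variables (names chosen here);
# SAMPLE_OK / SAMPLE_FAIL are constructed replies, not captured traffic.
import json
import os
from urllib.parse import urlencode, parse_qs
from urllib.request import Request, urlopen

TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"


def build_token_request(client_id, client_secret, username, password, security_token):
    """Return (url, body_bytes, headers) for the password grant.

    The password field is the user's password immediately followed by the
    security token, exactly as the request in the text shows.
    """
    form = {
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password + security_token,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_URL, urlencode(form).encode("utf-8"), headers


def form_fields(body_bytes):
    """Decode a form-encoded body back into a plain dict (for inspection/tests)."""
    return {k: v[0] for k, v in parse_qs(body_bytes.decode("utf-8")).items()}


def parse_token_response(status, body_text):
    """Extract the fields an API client needs, or raise on an OAuth error."""
    data = json.loads(body_text)
    if status != 200 or "access_token" not in data:
        # Salesforce reports failures as {"error": ..., "error_description": ...}
        raise PermissionError(f"{data.get('error')}: {data.get('error_description')}")
    return {"access_token": data["access_token"], "instance_url": data["instance_url"]}


def login_from_env(opener=urlopen):
    """Perform the real request against Salesforce; credentials come from the environment."""
    url, body, headers = build_token_request(
        os.environ["SF_CLIENT_ID"], os.environ["SF_CLIENT_SECRET"],
        os.environ["SF_USERNAME"], os.environ["SF_PASSWORD"], os.environ["SF_SECURITY_TOKEN"],
    )
    with opener(Request(url, data=body, headers=headers, method="POST")) as resp:
        return parse_token_response(resp.status, resp.read().decode("utf-8"))


# Constructed sample replies, shaped like Salesforce's token endpoint responses
SAMPLE_OK = ('{"access_token": "00Dxx0000000000!AQEAQ_EXAMPLE", '
             '"instance_url": "https://example.my.salesforce.com", "token_type": "Bearer"}')
SAMPLE_FAIL = '{"error": "invalid_grant", "error_description": "authentication failure"}'

if __name__ == "__main__":
    _, body, _ = build_token_request("cid", "csecret", "user@example.com", "pw", "TOKEN")
    print(form_fields(body)["password"])                      # pwTOKEN
    print(parse_token_response(200, SAMPLE_OK)["instance_url"])
```

The instance_url in the reply matters as much as the token: subsequent API calls go to that host, not to login.salesforce.com. A failed login never returns an access_token, so the parser treats its absence as an error rather than trusting the HTTP status alone.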

2. OAuth 2.0 Flow

The OAuth 2.0 Flow is more secure and user-friendly. It’s the preferred method for modern apps, especially when users need to log in themselves.

How It Works:
  1. The user is redirected to a Salesforce login page.
  2. They enter their Salesforce credentials.
  3. Salesforce asks if the user allows the app to access their data.
  4. After consent, Salesforce sends an authorization code back to the app.
  5. The app exchanges this code for an access token.
Types of OAuth 2.0 Flows in Salesforce:
  • Web Server Flow: Used by web applications.
  • User-Agent Flow: Used by single-page applications.
  • JWT Bearer Flow: Used for server-to-server integrations.
Why OAuth 2.0 Is Preferred:
  • More secure, because the user’s password is entered only on Salesforce’s login page; the app never sees it and receives only a token.
  • Users control what permissions to grant the app.
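The five steps of the Web Server Flow above, written out as an added example (not the original page’s code and not Salesforce’s own library). It uses only the Python standard library; the client id, client secret, redirect URI and scope values are placeholders, and the callback URL in the usage is a constructed sample of what the browser would bring back in step 4. The state parameter is standard OAuth 2.0 and is what lets the app reject a callback it did not start.

```python
# Added example (not from the original page): Salesforce Web Server flow,
# steps 1, 4 and 5, with the standard library only.
# Assumptions: client_id / redirect_uri / scope values are placeholders;
# callback URLs used for demonstration are constructed samples.
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "https://login.salesforce.com/services/oauth2/authorize"
TOKEN_URL = "https://login.salesforce.com/services/oauth2/token"


def start_login(client_id, redirect_uri, scope="api refresh_token"):
    """Step 1: build the URL the user is redirected to; keep `state` in the server session."""
    state = secrets.token_urlsafe(32)   # unguessable, bound to this browser session
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return AUTHORIZE_URL + "?" + urlencode(params), state


def handle_callback(callback_url, expected_state):
    """Step 4: Salesforce redirects back with ?code=...&state=...; verify state before anything else."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise PermissionError("state mismatch: this callback was not started by the current session")
    if "error" in query:
        # e.g. access_denied when the user declines consent in step 3
        raise PermissionError(f"{query['error'][0]}: {query.get('error_description', [''])[0]}")
    return query["code"][0]


def build_code_exchange(code, client_id, client_secret, redirect_uri):
    """Step 5: the form body that trades the one-time code for an access token."""
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,   # must equal the value sent in step 1
    }
    return TOKEN_URL, urlencode(form)


def demo():
    """Walk the flow with a constructed callback; returns the form fields of the exchange."""
    client_id, secret, redirect = "CLIENT_ID_PLACEHOLDER", "SECRET_PLACEHOLDER", "https://app.example.com/oauth/callback"
    _, state = start_login(client_id, redirect)
    callback = f"{redirect}?code=aPrxCODE123&state={state}"   # constructed sample
    code = handle_callback(callback, state)
    _, body = build_code_exchange(code, client_id, secret, redirect)
    return {k: v[0] for k, v in parse_qs(body).items()}
```

Steps 2 and 3 happen entirely on Salesforce’s pages, which is the point of the flow: the app only ever handles the authorization code and the tokens, never the user’s password. The POST in step 5 is sent server-side so the client secret never reaches the browser.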

How API Authorization Works in Salesforce API Integration

Once a user or system is authenticated, the next step is authorization. This ensures that the authenticated entity can only access the resources it is allowed to.

Key Concepts for API Authorization in Salesforce:
  1. Access Token:
    • After authentication, Salesforce issues an access token.
    • This token must be included in every API request to prove the user/system is authorized.
    Example of a request with an access token:
    GET https://yourInstance.salesforce.com/services/data/v57.0/sobjects/Account
    Authorization: Bearer <ACCESS_TOKEN>
  2. Profiles and Permissions:
    • Every user in Salesforce is assigned a profile.
    • Profiles define what the user can see (object-level permissions) and do (field-level permissions).
  3. Permission Sets:
    • Permission sets can add extra permissions to users without modifying their profiles.
  4. Connected Apps:
    • When integrating Salesforce with external systems, you use a Connected App.
    • The connected app defines the scope of access and requires users to authenticate via OAuth 2.0.
  5. API Limits:
    • Salesforce imposes governor limits to ensure fair usage. Ensure your integrations handle these limits gracefully.
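The GET request from point 1 above, turned into a small client that also covers two situations the list raises: a token that Salesforce no longer accepts (HTTP 401, error code INVALID_SESSION_ID) and approaching the API request limit. This is an added example, not code from the page or from Salesforce. The HTTP layer is abstracted as a transport function so the block runs offline against a constructed fake; the responses, token values and instance host are all made up here. The Sforce-Limit-Info response header (api-usage=used/total) is what Salesforce’s REST API returns for daily API request usage.

```python
# Added example (not from the original page): send the Bearer token with an
# API call, retry once after a token refresh on 401, and read API usage.
# Assumptions: `transport(method, url, headers)` -> (status, headers, body)
# stands in for a real HTTP client; fake_transport and its replies are constructed.
import json
import re

API_VERSION = "v57.0"


def api_headers(access_token):
    """Every API call carries the token as a Bearer credential."""
    return {"Authorization": f"Bearer {access_token}", "Accept": "application/json"}


def parse_limit_info(header_value):
    """'api-usage=25/15000' -> (25, 15000); None when the header is absent."""
    if not header_value:
        return None
    m = re.search(r"api-usage=(\d+)/(\d+)", header_value)
    return (int(m.group(1)), int(m.group(2))) if m else None


def describe_sobject(instance_url, sobject, access_token, transport, refresh=None, warn_ratio=0.9):
    """GET /services/data/<ver>/sobjects/<name>; retry once with a refreshed token on 401."""
    url = f"{instance_url}/services/data/{API_VERSION}/sobjects/{sobject}"
    status, headers, body = transport("GET", url, api_headers(access_token))
    if status == 401 and refresh is not None:
        access_token = refresh()          # e.g. a refresh_token grant or a fresh login
        status, headers, body = transport("GET", url, api_headers(access_token))
    if status == 401:
        raise PermissionError("access token rejected (INVALID_SESSION_ID)")
    if status != 200:
        raise RuntimeError(f"unexpected HTTP {status}: {body}")
    usage = parse_limit_info(headers.get("Sforce-Limit-Info"))
    near_limit = usage is not None and usage[0] >= warn_ratio * usage[1]
    return json.loads(body), usage, near_limit


def fake_transport(method, url, headers):
    """Constructed stand-in: the old token is rejected, the refreshed one succeeds."""
    if headers["Authorization"] == "Bearer OLD":
        return 401, {}, '[{"errorCode": "INVALID_SESSION_ID", "message": "Session expired or invalid"}]'
    return (200,
            {"Sforce-Limit-Info": "api-usage=13600/15000"},
            '{"objectDescribe": {"name": "Account"}}')


def demo():
    data, usage, near_limit = describe_sobject(
        "https://example.my.salesforce.com", "Account", "OLD",
        fake_transport, refresh=lambda: "NEW")
    return data["objectDescribe"]["name"], usage, near_limit


if __name__ == "__main__":
    print(demo())   # ('Account', (13600, 15000), True)
```

Two design points: the refresh happens at most once per call, so a token that is rejected even after refreshing surfaces as an error instead of a retry loop, and the usage header is read on every response so an integration can back off before it hits the limit rather than after requests start failing.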

Summary

In Salesforce, authentication and authorization ensure secure access to the platform and its APIs.

  • Username-Password Flow: A simple but less secure method, suitable for server-to-server communication.
  • OAuth 2.0 Flow: A modern, secure, and flexible method, preferred for most use cases.
  • Authorization mechanisms, including access tokens, profiles, and permission sets, control what authenticated users or systems can do.

Understanding these concepts is fundamental to building secure and efficient Salesforce applications. By following best practices for authentication and authorization, you can ensure your integrations are robust and compliant.